openSUSE has issued an advisory on March 13: https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/2VPBSF65DTMKEEGFEJY6QEGJSZY7TSKV/
It seems that CVE-2025-1632 only affects Cauldron.
CVE: (none) => CVE-2025-25724
Source RPM: (none) => libarchive-3.7.7-2.mga10.src.rpm, libarchive-3.6.2-5.3.mga9.src.rpm
Whiteboard: (none) => MGA9TOO
Assignee: bugsquad => nicolas.salguero
Suggested advisory:
========================

The updated packages fix a security vulnerability:

list_item_verbose in tar/util.c in libarchive through 3.7.7 does not check an strftime return value, which can lead to a denial of service or unspecified other impact via a crafted TAR archive that is read with a verbose value of 2. For example, the 100-byte buffer may not be sufficient for a custom locale. (CVE-2025-25724)

References:
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/2VPBSF65DTMKEEGFEJY6QEGJSZY7TSKV/
========================

Updated packages in core/updates_testing:
========================
bsdcat-3.6.2-5.4.mga9
bsdcpio-3.6.2-5.4.mga9
bsdtar-3.6.2-5.4.mga9
lib(64)archive13-3.6.2-5.4.mga9
lib(64)archive-devel-3.6.2-5.4.mga9

from SRPM:
libarchive-3.6.2-5.4.mga9.src.rpm
Source RPM: libarchive-3.7.7-2.mga10.src.rpm, libarchive-3.6.2-5.3.mga9.src.rpm => libarchive-3.6.2-5.3.mga9.src.rpm
Version: Cauldron => 9
Whiteboard: MGA9TOO => (none)
Assignee: nicolas.salguero => qa-bugs
Status: NEW => ASSIGNED
Keywords: (none) => advisory
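The unchecked strftime() return value described in the suggested advisory above, shown as an added C example (not libarchive's code and not part of the original bug report). format_mtime and sample_tm are hypothetical names, and an 8-byte buffer stands in for locale output that outgrows the real 100-byte one.

```c
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Constructed sample timestamp: Thu 13 Mar 2025 12:00:00. */
static struct tm sample_tm(void)
{
    struct tm tm;
    memset(&tm, 0, sizeof tm);
    tm.tm_year = 125; tm.tm_mon = 2; tm.tm_mday = 13;
    tm.tm_hour = 12;  tm.tm_wday = 4; tm.tm_yday = 71;
    return tm;
}

/* Format a timestamp into buf. strftime() returns 0 when the result does
 * not fit, and buf is then indeterminate, so on 0 we store an empty
 * string instead. Returns 1 if formatted, 0 if the fallback was used. */
static int format_mtime(char *buf, size_t n, const char *fmt,
                        const struct tm *tm)
{
    if (n == 0)
        return 0;
    if (strftime(buf, n, fmt, tm) == 0) {
        buf[0] = '\0';
        return 0;
    }
    return 1;
}

int main(void)
{
    struct tm tm = sample_tm();
    char roomy[100], tight[8];
    /* Pre-fill to show nothing stale is printed on the failure path. */
    memset(tight, 'X', sizeof tight);

    int ok1 = format_mtime(roomy, sizeof roomy, "%b %e %H:%M", &tm);
    int ok2 = format_mtime(tight, sizeof tight, "%b %e %H:%M", &tm);
    printf("roomy: ok=%d \"%s\"\n", ok1, roomy);
    printf("tight: ok=%d \"%s\"\n", ok2, tight);
    return 0;
}
```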
RH x86_64

installing bsdtar-3.6.2-5.4.mga9.x86_64.rpm lib64archive13-3.6.2-5.4.mga9.x86_64.rpm from //home/katnatek/qa-testing/x86_64
Preparing... ##################################################################################################
1/2: lib64archive13 ##################################################################################################
2/2: bsdtar ##################################################################################################
1/2: removing bsdtar-3.6.2-5.3.mga9.x86_64 ##################################################################################################
2/2: removing lib64archive13-3.6.2-5.3.mga9.x86_64 ##################################################################################################

Go to my Image folder
bsdtar -c -f ~/archtar *
examined archtar with ark, all files and folders checked OK

strace ark
Does not show "/lib64/libarchive.so.13" this time ????? but works, extract ~/archtar without issues

strace bsdtar -c -f ~/archtar * , shows
openat(AT_FDCWD, "/lib64/libarchive.so.13", O_RDONLY|O_CLOEXEC) = 3

strace vlc shows
openat(AT_FDCWD, "/lib64/libarchive.so.13", O_RDONLY|O_CLOEXEC) = 4
play video with vlc PK

LC_ALL=C urpmi bsdcpio
installing bsdcpio-3.6.2-5.4.mga9.x86_64.rpm from //home/katnatek/qa-testing/x86_64
Preparing... ##################################################################################################
1/1: bsdcpio ##################################################################################################

rpm2cpio ~/rpmfile.rpm|bsdcpio -idmv
extract with success the content of the rpm

Looks good to me
Me, too. Validating.
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update
Whiteboard: (none) => MGA9-64-OK
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2025-0102.html
Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED